Vulnerability Name:

CVE-2021-22118 (CCN-202705)

Assigned: 2021-05-25
Published: 2021-05-25
Updated: 2022-10-25
Summary: In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
CVSS v3 Severity: 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): Low
CVSS v2 Severity: 4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.4 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:P)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Partial
Vulnerability Type: CWE-668
Vulnerability Consequences: Gain Privileges
References:
Source: MITRE
Type: CNA
CVE-2021-22118

Source: XF
Type: UNKNOWN
vmwaretanzu-cve202122118-priv-esc(202705)

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210713-0005/

Source: CCN
Type: VMware Tanzu Web site
CVE-2021-22118: Local Privilege Escalation within Spring Webflux Multipart Request Handling

Source: MISC
Type: Third Party Advisory
https://tanzu.vmware.com/security/cve-2021-22118

Source: CCN
Type: IBM Security Bulletin 6486305 (Rational License Key Server)
A Privilege Escalation vulnerability in Pivotal Spring Framework affects IBM LKS Administration & Reporting Tool and its Agent

Source: CCN
Type: IBM Security Bulletin 6497275 (Watson Machine Learning Accelerator)
A vulnerability in Spring Framework affects IBM Watson Machine Learning Accelerator

Source: CCN
Type: IBM Security Bulletin 6497499 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6505281 (Cloud Pak for Security)
IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-22118

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.2.0 and < 5.2.15)
  • OR cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.3.0 and < 5.3.7)

Configuration 2:
  • cpe:/a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_element_manager:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.4.0)
  • OR cpe:/a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:documaker:*:*:*:*:*:*:*:* (Version >= 12.6.0 and <= 12.6.4)
  • OR cpe:/a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.3.1)
  • OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version <= 8.0.25)
  • OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:* (Version >= 16.0 and <= 19.0)
  • OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.4.0)
  • OR cpe:/a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.4.0)
  • OR cpe:/a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (Version >= 8.0.8 and <= 8.1.1)
  • OR cpe:/a:oracle:insurance_rules_palette:11.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.1.0)
  • OR cpe:/a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* (Version >= 8.2.0 and <= 8.2.3)

Configuration 3:
  • cpe:/a:netapp:hci:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:vmware:spring_framework:5.2.14:*:*:*:*:*:*:*
  • AND
  • cpe:/a:oracle:retail_order_broker_cloud_service:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable